SCIM provisioning with Okta

Dina Bennett

The integration between Okta and Ziflow uses the industry-standard SCIM (System for Cross-domain Identity Management) protocol to enable automated user provisioning. For more information, see this article to learn how Okta works with SCIM.

Available on: Enterprise

Prerequisites

Before you set up SCIM in your Okta admin dashboard, follow the guide on configuring the Okta SAML SSO connection with Ziflow.

Configuring SSO requires having admin access to the Ziflow account.

Supported provisioning actions

Ziflow supports the following provisioning features:

  • Push Users: Users in Okta who are assigned to the Ziflow application in Okta may be added as members to your account in Ziflow.

  • Import Users: Users created in Ziflow can be imported into Okta and either matched against existing Okta users or created as new Okta users.


Configure SCIM

Get your Ziflow API key

  1. Log into your Ziflow account with an account that has admin rights.

  2. Open your user profile and copy your API key from it.

Integrate Ziflow in the Okta admin portal

  1. Log in to Okta and add Ziflow to your applications list.



  2. Select the Provisioning tab from the application and select Configure API integration.


  3. Select Enable API integration and select Save.


  4. Enter the API key copied from your Ziflow account.


  5. Click on the Test API Credentials button, which will verify the entered key. If the test passes, select Save.


  6. Select To App in the left panel, then select the Provisioning Features you want to enable.


Make sure to select Email for the Application username format on the Sign On application tab in Okta.


Set up roles in Okta

After setting up provisioning, you can extend your configuration to include role-based assignments by adding profile editing. This enables user roles to be automatically defined and managed during provisioning.

Open the Profile Editor

  1. Select the Provisioning tab in your integration settings.
  2. Select To App and under Ziflow Attribute Mappings, select Go to Profile Editor.


Add a role attribute and define role options

You can define roles using one of two options:

Option 1: Create an enumerated list of values

Use this configuration to assign a single role to a user. When configured, you can choose one role in Okta from a drop-down list.


  1. In the Profile Editor, add a new attribute.

    Field               Description
    Data type           string
    Display name        The name you want for the attribute.
    Variable name       role
    External name       role
    External namespace  Enter urn:ietf:params:scim:schemas:core:2.0:User
                        This ensures the attribute applies to users being added or updated through provisioning.
    Description         [optional] Add a description for your attribute
  2. Select Define enumerated list of values.
  3. In Attribute members, define the available Ziflow roles:

    Display name  Value
    User          ZIFLOW_USER
    Admin         ZIFLOW_ADMIN
    Manager       ZIFLOW_MANAGER
    Lite User     ZIFLOW_LITE_USER



  4. For Attribute type, select Personal.
  5. Select Save Attribute.

Option 2: Use a string value

Use this configuration to assign multiple roles to a single user as a string. When configured, you can enter the role names separated by commas (for example: ZIFLOW_USER,ZIFLOW_ADMIN,ZIFLOW_MANAGER).


  1. In the Profile Editor, add a new attribute.

    Field               Description
    Data type           string
    Display name        The name you want for the attribute.
    Variable name       ziflow.role
    External name       role
    External namespace  Enter urn:ietf:params:scim:schemas:core:2.0:User
                        This ensures the attribute applies to users being added or updated through provisioning.
    Description         [optional] Add a description for your attribute


  2. For Attribute type, select Personal.
  3. Select Save Attribute.

If ZIFLOW_LITE_USER is combined with any other role, Ziflow will ignore the Lite User role and apply only the other roles. For example, a user with ZIFLOW_LITE_USER,ZIFLOW_ADMIN,ZIFLOW_USER will be provisioned as an Admin and User, and the Lite User role will be ignored.

Assign users to the Ziflow application in Okta

  1. In Okta, click the Assignments tab of the Ziflow application.

  2. Select Assign, then People. Select the team members you'd like to assign to the Ziflow application.


  3. In the Role field, select or enter the appropriate role (depending on how you set up your roles).


    The team member will be provisioned in Ziflow with the specified role automatically applied.
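
Because a mistyped or combined role string decides what access a user receives, it helps to review planned assignments before saving them. The following is an added example, not Ziflow or Okta code: it applies the role values, the Lite User rule and the Email username requirement from this page to a constructed list of (username, role value) pairs. The function names and sample data are hypothetical, and treating any value other than the exact ones listed on this page as unknown is an assumption.

```python
import re

# Role values from the "Attribute members" table on this page.
ZIFLOW_ROLES = {"ZIFLOW_USER", "ZIFLOW_ADMIN", "ZIFLOW_MANAGER", "ZIFLOW_LITE_USER"}
LITE = "ZIFLOW_LITE_USER"
# Simple shape check only (assumption), not a full address validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_roles(role_value):
    """Return (effective_roles, problems) for an Okta role attribute value."""
    roles, problems = [], []
    for tok in (t.strip() for t in role_value.split(",")):
        if not tok:
            problems.append("empty role entry")
        elif tok not in ZIFLOW_ROLES:
            problems.append(f"unknown role {tok!r}")
        elif tok not in roles:
            roles.append(tok)
    # Page rule: Lite User is ignored when combined with any other role.
    if LITE in roles and len(roles) > 1:
        roles.remove(LITE)
        problems.append("ZIFLOW_LITE_USER ignored: combined with other roles")
    return roles, problems


def audit_assignments(assignments):
    """Review (username, role_value) pairs and flag anything worth a second look."""
    findings = []
    for username, role_value in assignments:
        roles, problems = resolve_roles(role_value)
        if not EMAIL_RE.match(username):
            problems.append("username is not an email address")
        findings.append({"username": username, "effective_roles": roles,
                         "grants_admin": "ZIFLOW_ADMIN" in roles, "problems": problems})
    return findings


# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    ("reviewer@example.com", "ZIFLOW_LITE_USER"),
    ("lead@example.com", "ZIFLOW_LITE_USER,ZIFLOW_ADMIN,ZIFLOW_USER"),
    ("jsmith", "ZIFLOW_MANAGER, ziflow_admin"),
]


if __name__ == "__main__":
    print(*audit_assignments(SAMPLE), sep="\n")
```

Entries with grants_admin set or a non-empty problems list are the ones to check by hand before assigning the user in Okta.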

Known issues

We currently do not support the following provisioning actions:

  • pushing profile updates

  • pushing groups

  • importing groups
